About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Impact: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis

Description: An information disclosure issue was addressed with a microcode update. This ensures that older data read from recently-written-to addresses cannot be read via a speculative side-channel.

Impact: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis

Description: An information disclosure issue was addressed by flushing the L1 data cache at the virtual machine entry.

Impact: Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis

Description: An information disclosure issue was addressed with a microcode update. This ensures that implementation specific system registers cannot be leaked via a speculative execution side-channel.

Additional recognition

We would like to acknowledge an anonymous researcher for their assistance.

iBooks

We would like to acknowledge Sem Voigtländer of Fontys Hogeschool ICT for their assistance.

Kernel

We would like to acknowledge Brandon Azad for their assistance.

LaunchServices

We would like to acknowledge Alok Menghrajani of Square for their assistance.

Quick Look

We would like to acknowledge lokihardt of Google Project Zero for their assistance.

Security

We would like to acknowledge Marinos Bernitsas of Parachute for their assistance.

Terminal

We would like to acknowledge an anonymous researcher for their assistance.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.